
The 10 most common ERP security issues and ways to fix them

Today's ERP systems are exposed like never before. Learn about the most common ERP security issues companies are facing and how IT and security teams can address them.

As concerns grow around ransomware as well as application and supply chain security risks, ERP systems are exposed like never before, with more potential attack surfaces and vulnerabilities.

Most of these security issues are nothing new, but they've grown in both prevalence and complexity. The first step to improving company security is acknowledging today's challenges.

Here are the most common ERP security issues and how to address them.

1. Unknown vulnerabilities

Many organizations haven't fully identified their security gaps, let alone addressed them. The most common ERP security problem is IT and security staff not knowing what they don't know.

IT leaders must first gain a thorough knowledge of their company's ERP security risks before taking any further action. Once they understand their organization's unique threats, vulnerabilities and related gaps, they can take the proper steps to minimize exposure and limit the effects when a security incident does occur.

2. Missing software updates

Workstations and servers that are part of the ERP system are often missing needed software updates. These omissions can include outdated ERP software as well as inadequately maintained underlying operating systems and supporting applications. Lack of updates can lead to anything from ransomware infections to denial-of-service attacks to full remote unauthenticated access.

All too often, end users are expected to update their own systems, especially when it comes to third-party software. IT teams, not end users, must regularly update software and apply security patches under a formal patch management program, even though patching can require planned outages and downtime for critical systems.

3. Weak ERP authentication

Inadequate logins can include weak passwords, shared accounts and a lack of multifactor authentication. At a minimum, ERP authentication should be as strong as internal domain account controls. This standard usually isn't met when the ERP system relies on its own separate set of credentials rather than integrating with the domain.

Even when formal controls include domain integration and single sign-on, password policies are often weak, allowing users to create easily guessed or cracked passwords. Additional controls such as CAPTCHAs and intruder lockout after a small number of failed attempts are essential components for preventing further exposure.

IT leaders must take action to strengthen logins where needed to avoid security problems, which can include unauthorized access and system downtime.

4. Web application-specific vulnerabilities

Some ERP web applications are vulnerable to SQL injection and privilege escalation, and they contain business logic flaws that let users manipulate parts of the system, including data belonging to other parties in a multi-tenant setup.

IT leaders must be aware of which applications include these potential problems and include all web-related components in ongoing vulnerability and penetration testing efforts.
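The two flaw classes named above, SQL injection and a multi-tenant business logic flaw, often appear together in the same lookup code. The example below (added here; not code from the article or from any ERP product) shows an invoice lookup against an in-memory SQLite table with constructed rows, first in a vulnerable form and then hardened with bound parameters and a server-side tenant boundary. Table and column names are assumptions.

```python
"""Added example (not from the article): an ERP invoice lookup written two ways.
The table, columns and sample rows are constructed for the demonstration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, tenant_id INTEGER, amount REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        (1, 100, 250.0),    # constructed: belongs to tenant 100
        (2, 100, 75.5),     # constructed: belongs to tenant 100
        (3, 200, 9999.0),   # constructed: belongs to tenant 200
    ])
    return conn


def get_invoice_vulnerable(conn, invoice_id: str, tenant_id: str):
    # Defect 1: string formatting lets request data change the query structure.
    # Defect 2: the tenant boundary is whatever the client claims it is, so a
    #           user of one tenant can ask for another tenant's rows.
    sql = (f"SELECT id, tenant_id, amount FROM invoices "
           f"WHERE id = {invoice_id} AND tenant_id = {tenant_id}")
    return conn.execute(sql).fetchall()


def get_invoice_hardened(conn, invoice_id, session_tenant_id: int):
    # Validate the identifier type before it reaches the database.
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return []
    # Bound parameters: the value can never become part of the SQL text, and
    # the tenant comes from the authenticated session, not from the request.
    sql = "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?"
    return conn.execute(sql, (invoice_id, session_tenant_id)).fetchall()
```

In the vulnerable version, a non-numeric `invoice_id` such as `1 OR 1=1` widens the `WHERE` clause so that every invoice the tenant clause still admits comes back, and a user of tenant 100 who sends `tenant_id=200` simply receives tenant 200's data. The hardened version rejects the malformed id, binds the good one, and ignores any tenant value the client supplies. This is the kind of finding that only shows up when web components are included in penetration testing with more than one role and more than one tenant account.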

5. Open network shares

Certain ERP systems -- usually older ones -- require network users to have direct access to the ERP system folders through network shares. This practice is extremely unsafe: any casual user, or attacker, browsing the network can reach those files, which opens the door to ransomware and unauthorized access.

IT leaders should consider a software change if the company's current ERP system mandates these permissions. If a software change isn't possible, they should implement compensating controls to minimize this risk.

6. Lack of communication about security issues

Employees must notify IT or other tech leaders immediately when an ERP security issue occurs. Employees might assume that IT and security staff are taking care of any issues, but IT and security staff may not even know about them.

IT leaders must educate employees about the importance of notifying IT about any issues so the right people are aware before the problem becomes even bigger. When employees do so, IT staff should reward them publicly for their efforts to encourage that behavior in the future.

7. Lack of incident response planning

Many organizations have not yet documented a formal incident response plan for protecting or recovering their ERP system.

IT leaders must make a plan now to avoid scrambling during a crisis. Staff should practice incident response procedures through tabletop exercises and make ongoing updates as needed.

8. Lack of proper testing

IT leaders can't address ERP security issues if they don't know about them. They must implement periodic and consistent vulnerability scans and penetration testing that go beyond IT control audits.

This testing should look at the ERP environment from multiple angles: using each of the various role levels, both with and without user authentication, and with security controls both enabled and disabled. Carrying out these tests will identify more vulnerabilities than a single-perspective scan.
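One systematic way to cover the "each role level, with and without authentication" angle is to drive the application through an authorization matrix and flag every call whose outcome differs from the documented policy. The harness below is an added example, not code from the article or from any ERP product; the endpoints, roles, policy and the mock API standing in for a real ERP are all assumptions, and the mock contains one constructed policy gap so the harness has something to find.

```python
"""Added example (not from the article): an authorization-matrix test harness.
The endpoints, roles, expected policy and mock API are assumed stand-ins."""
from itertools import product

ROLES = ["clerk", "manager", "admin"]

# Documented policy (assumed): the set of roles allowed to call each endpoint.
EXPECTED = {
    "GET /invoices":          {"clerk", "manager", "admin"},
    "POST /invoices/approve": {"manager", "admin"},
    "GET /payroll":           {"admin"},
    "POST /users":            {"admin"},
}


def mock_erp_api(endpoint: str, role) -> int:
    """Stand-in for the system under test; returns an HTTP-style status code.
    Contains one constructed defect: the payroll report also answers to managers."""
    if role is None:                       # unauthenticated caller
        return 401
    allowed = {
        "GET /invoices":          True,
        "POST /invoices/approve": role in ("manager", "admin"),
        "GET /payroll":           role in ("manager", "admin"),   # gap versus EXPECTED
        "POST /users":            role == "admin",
    }
    return 200 if allowed.get(endpoint, False) else 403


def run_matrix(api, expected):
    """Call every endpoint as every role and as an unauthenticated caller,
    returning (endpoint, role, status) for each result that contradicts policy."""
    findings = []
    for endpoint, role in product(expected, [None] + ROLES):
        status = api(endpoint, role)
        should_allow = role is not None and role in expected[endpoint]
        actually_allowed = status == 200
        if actually_allowed != should_allow:
            findings.append((endpoint, role or "unauthenticated", status))
    return findings


if __name__ == "__main__":
    for endpoint, role, status in run_matrix(mock_erp_api, EXPECTED):
        print(f"policy deviation: {role} got {status} on {endpoint}")
```

Against a real ERP the `api` callable would issue HTTP requests with a session for each role (and none for the unauthenticated row), and the same matrix can be re-run with a security control such as a web application firewall switched off to see which findings the control was masking.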

9. Unclear employee expectations

Many organizations have not properly documented their security policies, and many employee handbooks barely mention employee computer usage expectations. The disconnection that comes with remote work can muddy the waters even further.

A security committee should work alongside legal counsel and human resources to ensure employee computer usage rules are clear and that employees are well-trained on security issues, acting as part of the team rather than working against it.

10. Lack of ongoing education for technical staff

Tech staff must stay up to date on the most common ERP security issues as those issues grow and change and must understand the latest security concepts and practices.

Unnecessary risk can occur if staff are using out-of-date approaches and security controls, making continuing education essential.

Kevin Beaver is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With more than 30 years of experience in the industry, Kevin specializes in performing vulnerability and penetration tests as well as virtual CISO consulting work.
